CVE-2021-36154
Description
HTTP2ToRawGRPCServerCodec in gRPC Swift ≤1.1.1 allows denial of service via many small messages in a single HTTP/2 frame causing uncontrolled recursion and stack consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
[1][2] The vulnerability exists in the HTTP2ToRawGRPCServerCodec component of gRPC Swift versions 1.0.0, 1.1.0, and 1.1.1. It is triggered when an attacker delivers many small messages within a single HTTP/2 frame, leading to uncontrolled recursion and stack consumption.
Exploitation
An attacker with network access can send a crafted HTTP/2 frame containing multiple small messages. The server will recursively process these messages, causing deep recursion and eventual stack exhaustion.
Impact
Successful exploitation results in denial of service due to stack exhaustion, causing the server process to crash or become unresponsive.
Mitigation
The issue has been fixed in gRPC Swift version 1.2.0 [4]. Users must upgrade to this version or later. No workaround is available [2]. The 1.x line is in maintenance mode, but security fixes will still be applied [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grpc/grpc-swift (SwiftURL) | < 1.2.0 | 1.2.0 |
Affected products
- gRPC Swift/gRPC Swift
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-4rhq-vq24-88gw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-36154 (ghsa, ADVISORY)
- bugs.chromium.org/p/oss-fuzz/issues/detail (ghsa, x_refsource_MISC, WEB)
- github.com/grpc/grpc-swift/releases (mitre, x_refsource_MISC)
- github.com/grpc/grpc-swift/releases/tag/1.2.0 (ghsa, WEB)
- github.com/grpc/grpc-swift/security/advisories/GHSA-4rhq-vq24-88gw (ghsa, x_refsource_MISC, WEB)